* [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
@ 2008-11-07 20:26 John W. Linville
2009-02-08 20:25 ` [stable] " Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: John W. Linville @ 2008-11-07 20:26 UTC (permalink / raw)
To: linux-wireless; +Cc: John W. Linville, Andrew Morton, Johannes Berg, stable
This addresses the bug report here:
http://bugzilla.kernel.org/show_bug.cgi?id=11975
Reported-by: Daniel Marjamäki <danielm77@spray.se>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
net/mac80211/debugfs_sta.c | 9 ++-------
1 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 189d0ba..2e6752a 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -184,7 +184,6 @@ static ssize_t sta_agg_status_write(struct file *fi=
le,
char buf[32];
int buf_size, rs;
unsigned int tid_num;
- char state[4];
=20
memset(buf, 0x00, sizeof(buf));
buf_size =3D min(count, (sizeof(buf)-1));
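Review bot: the changelog never says what overran, so with `char state[4]` removed here the bugzilla link is the only explanation a reader gets. Going by the second hunk, `strcpy(state, "off ")` in the Rx branch copies four characters plus the terminating NUL, five bytes, into this four-byte array. Suggest stating that in the commit message so stable reviewers can judge the fix without following the link.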
@@ -199,35 +198,31 @@ static ssize_t sta_agg_status_write(struct file *=
file,
/* toggle Rx aggregation command */
tid_num =3D tid_num - 100;
if (tid_static_rx[tid_num] =3D=3D 1) {
- strcpy(state, "off ");
ieee80211_sta_stop_rx_ba_session(sta->sdata, da, tid_num, 0,
WLAN_REASON_QSTA_REQUIRE_SETUP);
sta->ampdu_mlme.tid_state_rx[tid_num] |=3D
HT_AGG_STATE_DEBUGFS_CTL;
tid_static_rx[tid_num] =3D 0;
} else {
- strcpy(state, "on ");
sta->ampdu_mlme.tid_state_rx[tid_num] &=3D
~HT_AGG_STATE_DEBUGFS_CTL;
tid_static_rx[tid_num] =3D 1;
}
printk(KERN_DEBUG "debugfs - try switching tid %u %s\n",
- tid_num, state);
+ tid_num, tid_static_rx[tid_num] ? "on" : "off");
} else if ((tid_num >=3D 0) && (tid_num <=3D 15)) {
/* toggle Tx aggregation command */
if (tid_static_tx[tid_num] =3D=3D 0) {
- strcpy(state, "on ");
rs =3D ieee80211_start_tx_ba_session(hw, da, tid_num);
if (rs =3D=3D 0)
tid_static_tx[tid_num] =3D 1;
} else {
- strcpy(state, "off");
rs =3D ieee80211_stop_tx_ba_session(hw, da, tid_num, 1);
if (rs =3D=3D 0)
tid_static_tx[tid_num] =3D 0;
}
printk(KERN_DEBUG "debugfs - switching tid %u %s, return=3D%d\n",
- tid_num, state, rs);
+ tid_num, tid_static_tx[tid_num] ? "on" : "off", rs);
}
=20
return count;
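Review bot: in the Tx branch the new printk argument `tid_static_tx[tid_num] ? "on" : "off"` reports the stored state after the call rather than the action that was attempted, and that state only changes when `rs == 0`. When ieee80211_start_tx_ba_session() fails, the line now reads "switching tid N off, return=<error>" for an attempt to switch on, where the removed `state` string said "on"; the stop path is inverted the same way. Suggest picking the literal before the call (a `const char *` set in each arm) or rewording the message to say it prints the resulting state. The Rx branch keeps its old meaning, since `tid_static_rx[tid_num]` is updated unconditionally before the printk.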
-- 
1.5.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [stable] [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
2008-11-07 20:26 [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write John W. Linville
@ 2009-02-08 20:25 ` Greg KH
2009-02-13 21:30 ` John W. Linville
0 siblings, 1 reply; 4+ messages in thread
From: Greg KH @ 2009-02-08 20:25 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless, Johannes Berg, Andrew Morton, stable
John, the patch below seems to have David Miller's ack that he applied
it to a tree back in November, but I don't see it in Linus's tree
anywhere. Did something happen to it?
confused,
greg k-h
On Fri, Nov 07, 2008 at 03:26:59PM -0500, John W. Linville wrote:
> This addresses the bug report here:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=11975
>
> Reported-by: Daniel Marjamäki <danielm77@spray.se>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Johannes Berg <johannes@sipsolutions.net>
> Cc: stable@kernel.org
> Signed-off-by: John W. Linville <linville@tuxdriver.com>
> ---
> net/mac80211/debugfs_sta.c | 9 ++-------
> 1 files changed, 2 insertions(+), 7 deletions(-)
>
> diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
> index 189d0ba..2e6752a 100644
> --- a/net/mac80211/debugfs_sta.c
> +++ b/net/mac80211/debugfs_sta.c
> @@ -184,7 +184,6 @@ static ssize_t sta_agg_status_write(struct file *=
file,
> char buf[32];
> int buf_size, rs;
> unsigned int tid_num;
> - char state[4];
> =20
> memset(buf, 0x00, sizeof(buf));
> buf_size =3D min(count, (sizeof(buf)-1));
> @@ -199,35 +198,31 @@ static ssize_t sta_agg_status_write(struct file=
*file,
> /* toggle Rx aggregation command */
> tid_num =3D tid_num - 100;
> if (tid_static_rx[tid_num] =3D=3D 1) {
> - strcpy(state, "off ");
> ieee80211_sta_stop_rx_ba_session(sta->sdata, da, tid_num, 0,
> WLAN_REASON_QSTA_REQUIRE_SETUP);
> sta->ampdu_mlme.tid_state_rx[tid_num] |=3D
> HT_AGG_STATE_DEBUGFS_CTL;
> tid_static_rx[tid_num] =3D 0;
> } else {
> - strcpy(state, "on ");
> sta->ampdu_mlme.tid_state_rx[tid_num] &=3D
> ~HT_AGG_STATE_DEBUGFS_CTL;
> tid_static_rx[tid_num] =3D 1;
> }
> printk(KERN_DEBUG "debugfs - try switching tid %u %s\n",
> - tid_num, state);
> + tid_num, tid_static_rx[tid_num] ? "on" : "off");
> } else if ((tid_num >=3D 0) && (tid_num <=3D 15)) {
> /* toggle Tx aggregation command */
> if (tid_static_tx[tid_num] =3D=3D 0) {
> - strcpy(state, "on ");
> rs =3D ieee80211_start_tx_ba_session(hw, da, tid_num);
> if (rs =3D=3D 0)
> tid_static_tx[tid_num] =3D 1;
> } else {
> - strcpy(state, "off");
> rs =3D ieee80211_stop_tx_ba_session(hw, da, tid_num, 1);
> if (rs =3D=3D 0)
> tid_static_tx[tid_num] =3D 0;
> }
> printk(KERN_DEBUG "debugfs - switching tid %u %s, return=3D%d\n",
> - tid_num, state, rs);
> + tid_num, tid_static_tx[tid_num] ? "on" : "off", rs);
> }
> =20
> return count;
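Review bot: `(tid_num >= 0)` in the Tx condition is always true, because `tid_num` is declared `unsigned int` in the first hunk's context, so only `tid_num <= 15` bounds the index into `tid_static_tx[]`. Since the patch already touches this block, suggest dropping the dead comparison. The same unsignedness means `tid_num = tid_num - 100` in the Rx branch wraps for inputs below 100; the guard for that branch sits outside the visible hunk, so it is worth confirming that it limits the value before the subtraction.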
> -- 
> 1.5.4.3
>
> _______________________________________________
> stable mailing list
> stable@linux.kernel.org
> http://linux.kernel.org/mailman/listinfo/stable
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [stable] [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
2009-02-08 20:25 ` [stable] " Greg KH
@ 2009-02-13 21:30 ` John W. Linville
2009-02-13 23:43 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: John W. Linville @ 2009-02-13 21:30 UTC (permalink / raw)
To: Greg KH; +Cc: linux-wireless, Johannes Berg, Andrew Morton, stable
On Sun, Feb 08, 2009 at 12:25:27PM -0800, Greg KH wrote:
>
> John, the patch below seems to have David Miller's ack that he applied
> it to a tree back in November, but I don't see it in Linus's tree
> anywhere. Did something happen to it?
I think Dave applied a slightly different patch to do more-or-less
the same thing.
commit 013cd397532e5803a1625954a884d021653da720
Author: Jianjun Kong <jianjun@zeuux.org>
Date: Mon Nov 10 21:37:39 2008 -0800
mac80211: fix a buffer overrun in station debug code
net/mac80211/debugfs_sta.c
The trailing zero was written to state[4], it's out of bounds.
Signed-off-by: Jianjun Kong <jianjun@zeuux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hth!
John
--
John W. Linville Someday the world will need a hero, and you
linville@tuxdriver.com might be all we have. Be ready.
^ permalink raw reply [flat|nested] 4+ messages in thread
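The overrun named in the commit message quoted above ("The trailing zero was written to state[4]"), as an added userspace C example that is not code from this thread or from the kernel. `strcpy_footprint` and `bounded_copy` are hypothetical helpers; `state_label` mirrors the literal selection used in the patch at the top of the thread.

```c
#include <stdio.h>
#include <string.h>

#define STATE_LEN 4	/* size of the removed `char state[4]` */

/* Bytes strcpy() writes for src, including the terminating NUL. */
static size_t strcpy_footprint(const char *src)
{
	return strlen(src) + 1;
}

/* Hypothetical bounded copy: always NUL-terminates within size bytes and
 * returns the copied length, or -1 if src had to be truncated. */
static long bounded_copy(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);

	if (size == 0)
		return -1;
	if (len >= size) {
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -1;
	}
	memcpy(dst, src, len + 1);
	return (long)len;
}

/* What the posted patch does instead: no buffer, just pick a literal. */
static const char *state_label(int enabled)
{
	return enabled ? "on" : "off";
}

int main(void)
{
	char state[STATE_LEN];
	long rc = bounded_copy(state, "off ", sizeof(state));

	printf("strcpy(state, \"off \") would write %zu bytes into %d\n",
	       strcpy_footprint("off "), STATE_LEN);
	printf("bounded_copy -> rc=%ld, state=\"%s\"\n", rc, state);
	printf("literal selection -> \"%s\"\n", state_label(0));
	return 0;
}
```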
* Re: [stable] [PATCH] mac80211: avoid possible buffer overrun in sta_agg_status_write
2009-02-13 21:30 ` John W. Linville
@ 2009-02-13 23:43 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2009-02-13 23:43 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless, Johannes Berg, Andrew Morton, stable
On Fri, Feb 13, 2009 at 04:30:50PM -0500, John W. Linville wrote:
> On Sun, Feb 08, 2009 at 12:25:27PM -0800, Greg KH wrote:
> >
> > John, the patch below seems to have David Miller's ack that he applied
> > it to a tree back in November, but I don't see it in Linus's tree
> > anywhere. Did something happen to it?
>
> I think Dave applied a slightly different patch to do more-or-less
> the same thing.
>
> commit 013cd397532e5803a1625954a884d021653da720
> Author: Jianjun Kong <jianjun@zeuux.org>
> Date: Mon Nov 10 21:37:39 2008 -0800
Ah, thanks, I missed that, I'll go add it to the queue.
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread